Abstract: Approaches presented herein relate to the management of secure secrets, such as digital certificates. When an operation is performed by a certificate authority (CA) with respect to a digital certificate, information for the operation is written to a blockchain (or other distributed and verifiable ledger) in addition to a secure database accessible to the CA. The ability of an external party to access the blockchain and independently verify information about a digital certificate can help to increase a level or assurance in the integrity of the CA, which can be important when an entity wants to act as (or offer) their own private certificate authority. Information in the blockchain can also help to identify “dark” certificates, which may appear valid but were not issued by a CA using a valid and secure process, and thus can be identified by a lack of valid transactions included in the corresponding blockchain.

Abstract: Approaches presented herein relate to the management of secure secrets, such as digital certificates. When an operation is performed by a certificate authority (CA) with respect to a digital certificate, information for the operation is written to a blockchain (or other distributed and verifiable ledger) in addition to a secure database accessible to the CA. The ability of an external party to access the blockchain and independently verify information about a digital certificate can help to increase a level or assurance in the integrity of the CA, which can be important when an entity wants to act as (or offer) their own private certificate authority. Information in the blockchain can also help to identify “dark” certificates, which may appear valid but were not issued by a CA using a valid and secure process, and thus can be identified by a lack of valid transactions included in the corresponding blockchain.

Abstract: Described are automated systems and methods for employing certificate authority meta-resources to facilitate automatic renewal and/or rotation of certificates and/or certificate authorities in a PKI hierarchy. For example, embodiments of the present disclosure can provide creating a certificate authority meta-resource, which can maintain and monitor certain information to facilitate automatic renewal and rotation of certificates and/or certificate authorities in a PKI hierarchy. The certificate authority meta-resource can also keep track of the active certificate authorities and certificates to ensure that trust is maintained without manual configuration of the PKI hierarchy.

Abstract: Techniques are described for enabling users of a certificate management service to create certificate issuance policies that can be applied to certificate issuance requests across both public and private certificate authorities (CAs) and other certificate-related services. According to embodiments described herein, a certificate issuance policy includes one or more certificate issuance rules to be applied to requests associated with one or more specified user accounts or roles for certificate-related resources (e.g., public certificates, private certificates, etc.). The application of a certificate issuance rule can be conditioned on a particular request context (e.g., based on a user account or role associated with a request, a type of certificate requested, a subject name identified in the request, etc.) and can specify a wide range of actions to be performed on requests matching a rule (e.g., allowing or denying a request, modifying one or more parameters of the request, etc.).

Abstract: Techniques for providing specialized certificate authorities are described. A method of providing specialized certificate authorities may include receiving a request to generate a private certificate at a specialized certificate authority, the specialized certificate authority configured to generate only one type of digital certificate using a user-specified template, generating a certificate based on the customer-specified template, and returning the certificate.

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. A private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. The certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. The system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.

Abstract: Approaches presented herein relate to the management of secure secrets in a distributed environment. In particular, various embodiments provide for the management of unique digital identities across multiple regions, where each region can include its own certificate authority. While these certificate authorities may operate independently, they can be part of a multi-primary system where unique identities and keys are stored redundantly across environments. In the event of a failure of a certificate authority in one region, another certificate authority in another region can continue security and authentication management, without a need to issue new identities or change operation of any of the regions. Parties to secure communications, such as application containers, can each receive their own unique identity which can be shared across various regions to allow related tasks (e.g., certificate issuance or revocation) to be performed identically from any of those regions.

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, customers may use the certificate management service to generate private certificate authority which can issue signed certificates to network entities within the customer enterprise. In an embodiment, the private certificate authority is hosted by the computing resource service provider, and the certificate management service automates the renewal and management of active certificates. In an embodiment, the certificate management service allows customer applications to create, renew, and revoke certificates issued by both private and public certificate authorities via an application programming interface.

Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.

Abstract: Techniques are described for enabling users of a certificate management service to create certificate issuance policies that can be applied to certificate issuance requests across both public and private certificate authorities (CAs) and other certificate-related services. According to embodiments described herein, a certificate issuance policy includes one or more certificate issuance rules to be applied to requests associated with one or more specified user accounts or roles for certificate-related resources (e.g., public certificates, private certificates, etc.). The application of a certificate issuance rule can be conditioned on a particular request context (e.g., based on a user account or role associated with a request, a type of certificate requested, a subject name identified in the request, etc.) and can specify a wide range of actions to be performed on requests matching a rule (e.g., allowing or denying a request, modifying one or more parameters of the request, etc.).

Abstract: Techniques for validating digital certificate information before signing are described. A method of validating digital certificate information before signing may include generating a to-be-signed (TBS) certificate, providing the TBS certificate to a certificate pre-issuance validation service to perform one or more validations on the TBS certificate, and receiving a request to issue a signed certificate based on the TBS certificate following validation of the TBS certificate by the certificate pre-issuance validation service.

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, when a new certificate is generated, a certificate template is used to apply various settings and policies for the new certificate. In various examples, templates may be used to establish default values, enforce required and optional values, place restrictions on one or more data fields, and enforce signature requirements. In some embodiments, the template establishes rules for rejecting certificate requests that don't conform to the template.

Abstract: Systems and method for generating and managing certificate authorities. For instance, a certificate service may provide one or more user interfaces for creating certificate authorities, such as a root certificate authority, a subordinate certificate authority, and/or an intermediate certificate authority. For example, a user may use a user device to create a certificate hierarchy. The certificate service may also provide one or more user interfaces for issuing certificates using the certificate authorities. One or more computing resources may then use the end-entity certificates issued from the certificate authority hierarchy for authentication and/or encryption. For security purposes, the certificate authority may also allow the user to set policies representing users that are able to access and/or utilize the certificate authorities to perform actions, such as issuing certificates.

Abstract: In an embodiment, a computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. In an embodiment, a private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. In an embodiment, the certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. In an embodiment, the system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.

Abstract: A service provider network includes a certificate manager that auto-generates and auto-renews security certificates for customers of the provider network. The security certificates may be usable to implement a Secure Sockets Layer (SSL) protocol, or other types of security protocols. The certificate manager generates a public key, private key pair for the customer, generates the certificate signing request (CSR) on behalf of the customer, transmits the CSR to the certificate authority (CA), and binds the resulting CA-generated certificate and private key to whatever internet-facing service the customer chooses (e.g., a load balancer).